[SR-Users] Crash in usrloc, get_all_db_ucontacts

Kristian F. Høgh kfh at uni-tel.dk
Tue Jan 13 15:08:52 CET 2015 

Hi,

On an ancient kamailio 3.1, we occasionally experience crash in the function get_all_db_ucontacts in usrloc.

A backtrace reveals the following:
#0  0x00002b505f2fb4ff in get_all_db_ucontacts (buf=0xadd270, len=<value optimized out>, flags=64, part_idx=1, part_max=30) at dlist.c:176
176                             if (VAL_NULL(ROW_VALUES(row)+4) || p1==0 || p1[0]==0){


The lines around line 176 (which look similar to trunk, except p and p1 are str today)
    159                 for(i = 0; i < RES_ROW_N(res); i++) {
    160                         row = RES_ROWS(res) + i;
    161 
    162                         /* received */
    163                         p = (char*)VAL_STRING(ROW_VALUES(row));
    164                         if ( VAL_NULL(ROW_VALUES(row)) || p==0 || p[0]==0 ) {
    165                                 /* contact */
    166                                 p = (char*)VAL_STRING(ROW_VALUES(row)+1);
    167                                 if (VAL_NULL(ROW_VALUES(row)+1) || p==0 || p[0]==0) {
    168                                         LM_ERR("empty contact -> skipping\n");
    169                                         continue;
    170                                 }
    171                         }
    172                         p_len = strlen(p);
    173 
    174                         /* path */
    175                         p1 = (char*)VAL_STRING(ROW_VALUES(row)+4);
    176                         if (VAL_NULL(ROW_VALUES(row)+4) || p1==0 || p1[0]==0){
    177                                 p1 = NULL;
    178                                 p1_len = 0;
    179                         } else {
    180                                 p1_len = strlen(p1);
    181                         }

The client from frame #2 (bt full below), send a REGISTER, which was replied "200 OK" at the same second as the crash.
Is it a timing issue between REGISTER and nathelper ping?

I have a trace and the core.

Regards,
Kristian Høgh
Uni-tel



bt full
#0  0x00002b505f2fb4ff in get_all_db_ucontacts (buf=0xadd270, len=<value optimized out>, flags=64, part_idx=1, part_max=30) at dlist.c:176
        sock = 0x0
        dbflags = 11088
        host = {s = 0x375ef8e "PROXY_IP:5060", len = 13}
        i = <value optimized out>
        row = 0xa13488
        dom = 0x2b5062723278
        p1 = 0x2 <Address 0x2 out of bounds>
        now_s = "'2015-01-13 12:58:51'\177\000\000)"
        port = 11088
        p_len = 73
        cp = <value optimized out>
        needed = 16
        res = 0xa2ed38
        p = 0xcfcdffaf <Address 0xcfcdffaf out of bounds>
        now_len = 21
        proto = 1642847400
        p1_len = 0
        shortage = 0
        query_buf = "select received, contact, socket, cflags, path from location where expires > '2015-01-13 12:58:51' and cflags & 64 = 64 and id % 30 = 1", '\000' <repeats 376 times>
        query_str = {s = 0x2b505f515520 "select received, contact, socket, cflags, path from location where expires > '2015-01-13 12:58:51' and cflags & 64 = 64 and id % 30 = 1", len = 135}
#1  get_all_ucontacts (buf=0xadd270, len=<value optimized out>, flags=64, part_idx=1, part_max=30) at dlist.c:398
No locals.
#2  0x00002b5061eb6b1a in nh_timer (ticks=<value optimized out>, timer_idx=<value optimized out>) at nathelper.c:1623
        rval = <value optimized out>
        buf = 0xadd270
        cp = <value optimized out>
        c = {s = 0x0, len = 0}
        opt = {s = 0x0, len = 0}
        path = {s = 0x0, len = 0}
        curi = {user = {s = 0x0, len = 0}, passwd = {s = 0x0, len = 0}, host = {s = 0xadd836 "CLIENT_IP:62252\250u\220", len = 14}, port = {s = 0xadd845 "62252\250u\220", len = 5}, params = {s = 0x0, len = 0}, sip_params = {s = 0x0, len = 0}, headers = {
            s = 0x7fff110134b0 "", len = 566862356}, port_no = 50336, proto = 70, type = ERROR_URI_T, flags = 65536, transport = {s = 0x8cbfa0 "", len = 5441948}, ttl = {s = 0x7fff1101352f "", len = 4448297}, user_param = {s = 0x375ef8e "PROXY_IP:5060", len = 13}, 
          maddr = {s = 0x9204b0 "sip3", len = 10677560}, method = {s = 0x0, len = 0}, lr = {s = 0xadd84a "\250u\220", len = 0}, r2 = {s = 0xa2ebc0 "\250\272\252", len = 285291296}, transport_val = {s = 0x40 <Address 0x40 out of bounds>, len = 335544320}, ttl_val = {
            s = 0x3221c302d0 "H\307\300\017", len = 0}, user_param_val = {s = 0x0, len = 0}, maddr_val = {s = 0x0, len = 0}, method_val = {s = 0x0, len = 0}, lr_val = {s = 0x0, len = 0}, r2_val = {s = 0x0, len = 0}}
        he = <value optimized out>
        send_sock = <value optimized out>
        flags = <value optimized out>
        proto = <value optimized out>
        dst = {send_sock = 0x0, to = {s = {sa_family = 0, sa_data = '\000' <repeats 13 times>}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, 
              sin6_addr = {in6_u = {u6_addr8 = '\000' <repeats 15 times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, id = 0, proto = 0 '\000', send_flags = {f = 0 '\000', blst_imask = 0 '\000'}}
        iteration = 1
        __FUNCTION__ = "nh_timer"
#3  0x0000000000521c54 in fork_dummy_timer (child_id=<value optimized out>, desc=<value optimized out>, make_sock=<value optimized out>, f=0x2b5061eb6a70 <nh_timer>, param=0x0, interval=1) at timer_proc.c:71
        pid = <value optimized out>
#4  0x00002b5061eb42ee in child_init (rank=<value optimized out>) at nathelper.c:673
        i = 58055190
#5  0x00000000004db1d0 in init_mod_child (m=0x917dc0, rank=0) at sr_module.c:829
No locals.
#6  0x00000000004db1a9 in init_mod_child (m=0x918420, rank=0) at sr_module.c:826
No locals.
#7  0x00000000004db1a9 in init_mod_child (m=0x918aa0, rank=0) at sr_module.c:826
No locals.

More information about the sr-users mailing list